Blast from the past.
Sunday morning, recreationally rummaging through a box of old equipment, I find a tiny PIX 501. And it still powers up!
This PIX has probably been retired from the field, so there’s a password, of course. On a console connection, the first thing to try is the default username (pix) and the default password (password). Oooh, denied. OK, let’s try to connect over the network via Telnet or SSH with default password of cisco. Nope, you shall not pass, my little Balrog.
Fortunately, the password is easily reset using the PIX Password Lockout Utility which resets passwords, but not the PIX config. Cisco.com has the downloadable utility for all versions of the PIX OS up to version 7.x. The procedure is similar to that of resetting the password on a Cisco ASA.
This is what you need:
- Computer running terminal emulator software to talk to the PIX
- Console cable connected from computer to console port of the PIX
- TFTP server
- Straight-through Ethernet cable to connect the PIX to the network (or directly to the TFTP server)
- PIX Password Lockout Utility for the version of the PIX OS that is installed on the PIX
So, first thing to do is find out what version IOS is running on the PIX. On a console connection, you can do a show version command, or power cycle the PIX and look for the version information that appears right after the retro Golden Gate bridge logo.
----------------------------------------------------------------------- || || || || |||| |||| ..:||||||:..:||||||:.. c i s c o S y s t e m s Private Internet eXchange ----------------------------------------------------------------------- Cisco PIX Firewall Cisco PIX Firewall Version 6.3(5)
Now that I know what version of the PIX OS is installed, I go to this page at cisco.com and download the utility file. In my case, I download np63.bin to my laptop.
My laptop has TFTPD32 installed on it, so it can double as the TFTP server.
I give my laptop a static IP address and connect it to one of the Ethernet ports on the PIX.
Then I reboot the PIX and hit the BREAK or ESC key when prompted.
Cisco Secure PIX Firewall BIOS (4.2) #6: Mon Aug 27 15:09:54 PDT 2001 Platform PIX-501 Flash=E28F640J3 @ 0x3000000 Use BREAK or ESC to interrupt flash boot. Use SPACE to begin flash boot immediately. Flash boot interrupted. 0: i8255X @ PCI(bus:0 dev:17 irq:9 ) 1: i8255X @ PCI(bus:0 dev:18 irq:10)
10 years? Jeepers.
I’ve connected my laptop to the inside interface, so that is interface 1.
monitor> interface 1 0: i8255X @ PCI(bus:0 dev:17 irq:9 ) 1: i8255X @ PCI(bus:0 dev:18 irq:10)
I configure a temporary IP address for interface 1 on the PIX (22.214.171.124), and tell it that the TFTP server is at 126.96.36.199. I don’t need to specify a gateway since my laptop (the TFTP server) is directly connected to the inside interface of the PIX.
Using 1: i82557 @ PCI(bus:0 dev:18 irq:10), MAC: x0x0.x0x0.x0x0 monitor> address 188.8.131.52 address 184.108.40.206 monitor> server 220.127.116.11 server 18.104.22.168
I tell the PIX that it should retrieve the file np63.bin from the TFTP server, and I test connectivity with a ping.
monitor> file np63.bin file np63.bin monitor> ping 22.214.171.124 Sending 5, 100-byte 0xbbf7 ICMP Echoes to 126.96.36.199, timeout is 4 seconds: !!!!! Success rate is 100 percent (5/5)
The tftp command tells the PIX to download the np63.bin file from my laptop. Then I am prompted to pick which passwords I want removed.
monitor> tftp tftp firstname.lastname@example.org..................................................................................................................................................................................... Received 92160 bytes Cisco Secure PIX Firewall password tool (3.0) #0: Thu Jul 17 08:01:09 PDT 2003 Flash=E28F640J3 @ 0x3000000 BIOS Flash=E28F640J3 @ 0xD8000 Do you wish to erase the passwords? [yn] y The following lines will be removed from the configuration: enable password blahblahblah encrypted passwd blahdeblahblah encrypted aaa authentication serial console LOCAL aaa authentication telnet console LOCAL aaa authentication ssh console LOCAL aaa authentication http console LOCAL aaa authentication enable console LOCAL aaa authorization command LOCAL Do you want to remove the commands listed above from the configuration? [yn] y Passwords and aaa commands have been erased. Rebooting....
Upon reboot, there is no Username prompt, and I can get into enable mode with a blank password.
BranchPix501> en Password: BranchPix501# 502103: User priv level changed: Uname: enable_1 From: 1 To: 15 111008: User 'enable_1' executed the 'enable' command.